########################
# BUILDER
########################
FROM rust:latest AS builder
WORKDIR /app
ARG BIN=cw
# 1) Prime dependency cache
COPY Cargo.toml Cargo.lock* ./
# If this is a workspace: still OK; dummy src compiles top-level deps
RUN mkdir -p src && echo "fn main() {}" > src/main.rs
# Build deps with cache (requires BuildKit)
RUN --mount=type=cache,target=/usr/local/cargo/registry \
--mount=type=cache,target=/app/target \
cargo build --release || true
# 2) Build real binary
COPY . .
RUN --mount=type=cache,target=/usr/local/cargo/registry \
--mount=type=cache,target=/app/target \
cargo build --release --locked --bin ${BIN}
# strip for smaller size
RUN apt-get update && apt-get install -y --no-install-recommends binutils \
&& rm -rf /var/lib/apt/lists/*
RUN strip target/release/${BIN} || true
########################
# RUNTIME
########################
FROM debian:bookworm-slim
# minimal runtime bits
RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates tzdata libcap2 \
&& rm -rf /var/lib/apt/lists/*
# non-root user
RUN groupadd --system --gid 10001 cw && \
useradd --system --no-create-home --uid 10001 --gid 10001 --shell /usr/sbin/nologin cw
# copy binary
ARG BIN=cw
COPY --from=builder /app/target/release/${BIN} /usr/bin/${BIN}
# default workdir inside container; mount your repo here
WORKDIR /app
USER cw:cw
ENTRYPOINT ["/usr/bin/cw"]